
QNAP fixes six Rsync vulnerabilities in NAS backup, recovery app

  • January 23, 2025

Jasper_The_Rasper
Moderator

January 23, 2025 By Sergiu Gatlan 

 


QNAP has fixed six rsync vulnerabilities that could let attackers gain remote code execution on unpatched Network Attached Storage (NAS) devices.

Rsync is an open-source file synchronization tool that supports direct file syncing via its daemon, transfers over SSH, and incremental transfers that save time and bandwidth.

It's widely used by many backup solutions like Rclone, DeltaCopy, and ChronoSync, as well as in cloud and server management operations and public file distribution.

The flaws are tracked as CVE-2024-12084 (heap buffer overflow), CVE-2024-12085 (information leak via uninitialized stack), CVE-2024-12086 (server leaks arbitrary client files), CVE-2024-12087 (path traversal via --inc-recursive option), CVE-2024-12088 (bypass of --safe-links option), and CVE-2024-12747 (symbolic link race condition).

QNAP says they affect HBS 3 Hybrid Backup Sync 25.1.x, the company's data backup and disaster recovery solution, which supports local, remote, and cloud storage services.

 
